I sandbox all my utilities and programs in case some compromised third-party dependency decides to run lose. It's a way to limit the blast radius.

you're embedding it as a scripting api and want to limit permissions to just what's needed

The TIC-80 game engine embeds Janet, and if i recall sandboxes the games created